Quickly gathering logins/emails with theHarvester and Metasploit

Like GI Joe always said: Knowing is half the battle… And so it is the same with hacking.

One of the first parts of recon in a pentest is gathering valid login names and emails. We can use these to profile our target, bruteforce authentication systems, send client-side attacks (through phishing), look through social networks for juicy info on platforms and technologies, etc.

Where do we get this info? Well without doing a full-blown Open Source Recon (OSINT) style assessment, we can use two simple scripts; Metasploit's search_email_collector.rb and Edge-Security's theHarvester.

theHarvester (luckily for us) just updated to v1.5 and has now fixed some of its previous bugs with searching Bing and LinkedIn. It supports searching Google, Bing, PGP servers, and LinkedIn. Metasploit, under modules/auxiliary/gather, has search_email_collector.rb and uses similar techniques for Google, Bing, and Yahoo.

A quick usage below identifies some users

p.s. you can one line search_email_collector like so in msfcli:

ruby /framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=your_target_domain OUTFILE=output_file_you_want_results_in E

Check the last line for an example wrapper for these two tools.

zombie@haktop:/tools/email/theHarvester# ./theHarvester.py -d defcon.com -b google -l 500


*************************************


*TheHarvester Ver. 1.5 *


*Coded by Christian Martorella *


*Edge-Security Research *


*cmartorella@edge-security.com *


*************************************


Searching for defcon.com in google :


======================================





Total results: 462000


Limit: 500


Searching results: 0


Searching results: 100


Searching results: 200


Searching results: 300


Searching results: 400


Accounts found:


====================


quietpro@defcon.com


nick.s@defcon.com


robert@defcon.com


lynne@defcon.com


@defcon.com


joe@defcon.com


info@defcon.com


dtangent@defcon.com


====================

And search_email_collector.rb usage here:

Running MSF search_email_collector...

[*] Please wait while we load the module tree...
[*] Harvesting emails .....
[*] Searching Google for email addresses from defcon.com
[*] Extracting emails from Google search results...
[*] Searching Bing email addresses from defcon.com
[*] Extracting emails from Bing search results...
[*] Searching Yahoo for email addresses from defcon.com
[*] Extracting emails from Yahoo search results...
[*] Located 7 email addresses for defcon.com
[*] headsets@defcon.com
[*] info@defcon.com
[*] jobs@defcon.com
[*] nick.s@defcon.com
[*] nick@defcon.com
[*] robert@defcon.com
[*] spr@defcon.com

We can wrap both these with a quick (albeit dirty) bash script (this example uses Backtrack paths):

#!/bin/bash

echo "Running MSF search_email_collector..."
echo
ruby /pentest/exploits/framework3/msfcli auxiliary/gather/search_email_collector DOMAIN=$1 OUTFILE=$1_emails.txt E
echo
echo "Running theHarvester on Google, BING, MSN, PGP..."
echo
python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b google -l 500 >> $1_emails.txt
python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b msn -l 500 >> $1_emails.txt
python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b pgp >> $1_emails.txt
cat $1_emails.txt | grep @ |grep -v @edge-security.com |sort > $1_emails.txt
echo
echo "Searching for LinkedIN profiles with theHarverster..."
python /pentest/enumeration/google/theharvester/theHarvester.py -d $1 -b linkedin -l 40 >> $1_emails.txt
echo
echo "Finishing... E-mail Results:"
echo
cat $1_emails.txt